SAP HANA Content Security Roles Setup
A few months ago I was given the task of implementing content security in SAP HANA. The main purpose of this task was to give business users access to the information models created in SAP HANA. For example, a Finance user should only see the Finance package and should be able to access the information models in that package via BI tools such as Analysis for Excel. So, after some research and a few discussions with various people, I came up with the following security model.

Let's assume that content is maintained in the following structure:

So, based on each type of privilege, I created the roles shown below.

System Privilege Roles

These roles are mainly needed for system admin tasks (technical roles). Naming: X_HNS, where S stands for System Privilege role.
| Role Name | Privilege Type | Assigned Privileges | Description |
|---|---|---|---|
| X_HNS_USERADMIN | System Privilege | USER ADMIN | This role can create users, change their passwords and delete users |
| X_HNS_ROLEADMIN | System Privilege | ROLE ADMIN | This role can create, alter and drop roles with SQL commands |
| X_HNS_SYSADMIN | System Privilege | INIFILE ADMIN, LICENSE ADMIN, LOG ADMIN, SERVICE ADMIN, SESSION ADMIN, TRACE ADMIN, AUDIT ADMIN | This role can administer the HANA system, alter system parameters and execute ALTER commands to change the system |
| X_HNS_SYSMON | System Privilege | CATALOG READ, MONITOR ADMIN | This role can change alerts, enable logging and view logs to monitor the system |
| X_HNS_CONTENTADMIN | System Privilege | CREATE SCENARIO, CREATE STRUCTURED PRIVILEGE, STRUCTUREDPRIVILEGE ADMIN, CATALOG READ, REPO.EXPORT, REPO.IMPORT, REPO.MAINTAIN_DELIVERY_UNITS, REPO.WORK_IN_FOREIGN_WORKSPACE | This role can create, alter, import, export and drop content |
| X_HNS_DATAADMIN | System Privilege | CREATE REMOTE SOURCE, CREATE SCHEMA, IMPORT, EXPORT | This role can create schemas, import and export tables, and drop tables |
Object Privilege Roles

Naming: X_HNO, where O stands for Object Privilege role.

| Role Name | Privilege Type | Assigned Privileges | Description |
|---|---|---|---|
| X_HNO_CONTENT_READ | Object Privilege | _SYS_BI (SELECT, EXECUTE), _SYS_BIC (SELECT, EXECUTE) | This role gives read access to activated views. You would only need this if you are using HANA Studio to access views. Not using it for BI tools provides more security in terms of which activated views are displayed: access to the whole _SYS_BIC schema grants access to all activated views, which would invalidate this model. We can create a separate role for this privilege. |
| X_HNO_CONTENT_WRITE | Object Privilege | _SYS_BI (EXECUTE, SELECT, INSERT, UPDATE, DELETE), _SYS_BIC (CREATE ANY, ALTER, DROP, EXECUTE, SELECT, INSERT, UPDATE, DELETE, INDEX) | This role gives write access to activated views and read access to the schema |
| X_HNO_CONTENT_LIST | Object Privilege | REPOSITORY_REST (EXECUTE) | |
| X_HNO_SCHEMA_READ | Object Privilege | SCHEMA (SELECT) | Where SCHEMA is replaced with the required schema name |
| X_HNO_SCHEMA_WRITE | Object Privilege | SCHEMA (CREATE ANY, ALTER, DROP, EXECUTE, SELECT, INSERT, UPDATE, DELETE, INDEX) | Where SCHEMA is replaced with the required schema name |
| X_HNO_FI_CONTENT | Object Privilege | _SYS_BIC.FI column views | |
| X_HNO_CO_CONTENT | Object Privilege | _SYS_BIC.CO column views | |
| X_HNO_IM_CONTENT | Object Privilege | _SYS_BIC.IM column views | |
| X_HNO_LE_CONTENT | Object Privilege | _SYS_BIC.LE column views | |
| X_HNO_MM_CONTENT | Object Privilege | _SYS_BIC.MM column views | |
| X_HNO_PA_CONTENT | Object Privilege | _SYS_BIC.PA column views | |
| X_HNO_PU_CONTENT | Object Privilege | _SYS_BIC.PU column views | |
| X_HNO_SD_CONTENT | Object Privilege | _SYS_BIC.SD column views | |
| X_HNO_SP_CONTENT | Object Privilege | _SYS_BIC.SP column views | |
Package Privilege Roles

Naming: X_HNP, where P stands for Package Privilege role.

| Role Name | Privilege Type | Assigned Privileges | Description |
|---|---|---|---|
| X_HNP_FI_READ | Package Privilege | REPO.READ on FI | This role gives read access to package FI |
| X_HNP_IM_READ | Package Privilege | REPO.READ on IM | This role gives read access to package IM |
| X_HNP_LE_READ | Package Privilege | REPO.READ on LE | This role gives read access to package LE |
| X_HNP_MM_READ | Package Privilege | REPO.READ on MM | This role gives read access to package MM |
| X_HNP_PP_READ | Package Privilege | REPO.READ on PP | This role gives read access to package PP |
| X_HNP_PU_READ | Package Privilege | REPO.READ on PU | This role gives read access to package PU |
| X_HNP_SD_READ | Package Privilege | REPO.READ on SD | This role gives read access to package SD |
| X_HNP_SP_READ | Package Privilege | REPO.READ on SP | This role gives read access to package SP |
| X_HNP_CO_READ | Package Privilege | REPO.READ on CO | This role gives read access to package CO |
| X_HNP_PA_READ | Package Privilege | REPO.READ on PA | This role gives read access to package PA |
| X_HNP_ROOT_WRITE | Package Privilege | REPO.READ, REPO.EDIT_NATIVE_OBJECTS, REPO.ACTIVATE_NATIVE_OBJECTS, REPO.MAINTAIN_NATIVE_PACKAGES on ROOT | This role gives edit access to ALL packages |
Analytic Privilege Roles

Many analytic privileges can be assigned to a single role. In this example I first create one analytic privilege and then create a role for the department containing that analytic privilege; more analytic privileges can be added to the role later. In our case we are not using restrictive analytic privileges, which means there are no attribute restrictions.

Naming: X_HND, where D stands for Data level restriction.
| Analytic Privilege | Package | Content | Attribute Restrictions |
|---|---|---|---|
| X_HND_CO_AP1 | CO | Column views under _SYS_BIC.CO/ | NA |
| X_HND_FI_AP1 | FI | All column views under _SYS_BIC.FI/ | NA |
| X_HND_IM_AP1 | IM | Column views under _SYS_BIC.IM/ | NA |
| X_HND_LE_AP1 | LE | Column views under _SYS_BIC.LE/ | NA |
| X_HND_MM_AP1 | MM | Column views under _SYS_BIC.MM/ | NA |
| X_HND_PP_AP1 | PP | Column views under _SYS_BIC.PP/ | NA |
| X_HND_PA_AP1 | PA | Column views under _SYS_BIC.PA/ | NA |
| X_HND_PU_AP1 | PU | Column views under _SYS_BIC.PU/ | NA |
| X_HND_SD_AP1 | SD | Column views under _SYS_BIC.SD/ | NA |
| _SYS_BI_CP_ALL | ROOT | All column views under _SYS_BIC | No restrictions. Currently being used |
Now the Analytic Roles

Naming: X_HNA, where A stands for Analytic Privilege role.

| Role Name | Analytic Privilege |
|---|---|
| X_HNA_FI | X_HND_FI_AP1 |
| X_HNA_IM | X_HND_IM_AP1 |
| X_HNA_LE | X_HND_LE_AP1 |
| X_HNA_CO | X_HND_CO_AP1 |
| X_HNA_MM | X_HND_MM_AP1 |
| X_HNA_PU | X_HND_PU_AP1 |
| X_HNA_PP | X_HND_PP_AP1 |
| X_HNA_PA | X_HND_PA_AP1 |
| X_HNA_SD | X_HND_SD_AP1 |
| X_HNA_ALL | _SYS_BI_CP_ALL (the only one currently being used) |
Let's take a look at how we can use the system privilege roles to create technical roles:

Technical Roles

| Role Name | Granted Roles | Description |
|---|---|---|
| Y_HNT_SECURITY | X_HNS_USERADMIN, X_HNS_ROLEADMIN | Add, delete and edit users and assign other roles |
| Y_HNT_ADMINS | X_HNS_USERADMIN, X_HNS_ROLEADMIN, X_HNS_SYSADMIN, X_HNS_SYSMON, X_HNS_CONTENTADMIN, X_HNS_DATAADMIN | Perform admin tasks and security tasks |
| Y_HNT_CONTENT_DEVS | X_HNS_CONTENTADMIN, X_HNO_SCHEMA_READ, X_HNO_CONTENT_WRITE, X_HNO_CONTENT_LIST, X_HNP_ROOT_WRITE, X_HNA_ALL | Create and activate information models in packages |
Now, let's take a look at a functional role example. In this example, Finance user A needs access to the FI package and its information views. So, in this case, create a functional role for the Finance department and add user A to it.

| Role Name | Granted Roles |
|---|---|
| Y_HNF_FI | X_HNO_CONTENT_READ, X_HNO_FI_CONTENT, X_HNP_FI_READ, X_HNA_ALL |

In the same way we can create other functional roles depending on our requirements and then assign them to users. It is not mandatory that everyone follows this way of setting up roles, but it can be used as a reference.
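The Finance functional role from the table above, expressed as HANA SQL so the layering (object, package and analytic roles composed into Y_HNF_FI, then granted to a user) can be built and checked. This is an added example, not code from the original post; the activated view name FI/CV_GL_BALANCES, the user FIN_USER_A and its initial password are constructed placeholders, and the FI package and its activated views are assumed to exist already.

```sql
-- Added example (not from the original post): build Y_HNF_FI from the
-- X_* building blocks and verify what the business user can actually reach.

-- Object privilege roles: read on _SYS_BI, plus the FI column views only.
CREATE ROLE X_HNO_CONTENT_READ;
GRANT SELECT, EXECUTE ON SCHEMA _SYS_BI TO X_HNO_CONTENT_READ;
-- Deliberately no schema-wide grant on _SYS_BIC here: SELECT on the whole
-- _SYS_BIC schema would expose every activated view of every package.
CREATE ROLE X_HNO_FI_CONTENT;
-- One grant per activated FI view; the view name is a constructed placeholder.
GRANT SELECT ON "_SYS_BIC"."FI/CV_GL_BALANCES" TO X_HNO_FI_CONTENT;

-- Package privilege role: repository read on the FI package.
CREATE ROLE X_HNP_FI_READ;
GRANT REPO.READ ON "FI" TO X_HNP_FI_READ;

-- Analytic privilege role: no row-level restriction in this model.
CREATE ROLE X_HNA_ALL;
GRANT STRUCTURED PRIVILEGE _SYS_BI_CP_ALL TO X_HNA_ALL;

-- Functional role composed from the building blocks.
CREATE ROLE Y_HNF_FI;
GRANT X_HNO_CONTENT_READ TO Y_HNF_FI;
GRANT X_HNO_FI_CONTENT   TO Y_HNF_FI;
GRANT X_HNP_FI_READ      TO Y_HNF_FI;
GRANT X_HNA_ALL          TO Y_HNF_FI;

-- Business user (constructed) receives only the functional role.
CREATE USER FIN_USER_A PASSWORD Initial_Pw_1;  -- constructed initial password
GRANT Y_HNF_FI TO FIN_USER_A;

-- Check 1: which activated views can FIN_USER_A read? Expect only FI/* rows.
SELECT SCHEMA_NAME, OBJECT_NAME, PRIVILEGE
  FROM EFFECTIVE_PRIVILEGES
 WHERE USER_NAME = 'FIN_USER_A'
   AND SCHEMA_NAME = '_SYS_BIC'
 ORDER BY OBJECT_NAME;

-- Check 2: does any role or user hold schema-wide SELECT/EXECUTE on _SYS_BIC?
-- Any row here means the per-package model is bypassed for that grantee.
SELECT GRANTEE, GRANTEE_TYPE, PRIVILEGE
  FROM GRANTED_PRIVILEGES
 WHERE OBJECT_TYPE = 'SCHEMA'
   AND SCHEMA_NAME = '_SYS_BIC'
   AND PRIVILEGE IN ('SELECT', 'EXECUTE');
```

Check 2 is worth running periodically, since a single schema-wide grant on _SYS_BIC to a widely assigned role silently widens access for every user who holds it.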